Lucene search

Veracode Vulnerability DatabaseVERACODE:37436

HistoryOct 07, 2022 - 5:59 a.m.

Information Disclosure

2022-10-0705:59:26

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

codeigniter4

framework

information disclosure

vulnerability

set cookie function

configuration

security

internal data

0.001 Low

EPSS

Percentile

32.1%

JSON

codeigniter4/framework is vulnerable to information disclosure. The vulnerability exists in the set_cookie function because it does not reflect setting $secure or $httponly values to true in config or cookie, which exposes them to scripts, allowing an attacker to gain access to internal data.

CPENameOperatorVersion
codeigniter4/frameworklev4.2.6
codeigniter4/frameworklev4.2.6

CPE	Name	Operator	Version
	codeigniter4/framework	le	v4.2.6
	codeigniter4/framework	le	v4.2.6

References

codeigniter4.github.io/userguide/helpers/cookie_helper.html#set_cookie

codeigniter4.github.io/userguide/outgoing/response.html#CodeIgniter%5CHTTP%5CResponse::setCookie

developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies

github.com/codeigniter4/CodeIgniter4/issues/6540

github.com/codeigniter4/CodeIgniter4/pull/6544

github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp

github.com/codeigniter4/framework/commit/011ce3bbda6f85930075a9b8fecbee01c4b23ab9

www.cve.org/CVERecord?id=CVE-2022-39284

0.001 Low

EPSS

Percentile

32.1%

JSON

Related for VERACODE:37436